OpenSSH public key problem with Solaris 10
Erich Weiler
weiler at soe.ucsc.edu
Sat Jul 1 00:04:20 EST 2006
Hi ya'll-
I've got this odd openssh problem with Solaris 10 I was hoping someone
could shed some light on. Not sure if it is a bug... Basically I'm
trying to use pubkeys as an auth method, but am having issues. I can
log in using passwords no problem, but as soon as it notices a matching
public key it closes the connection. I ran the sshd server (on Solaris
10 box) in debug mode and got this output when I tried to log in:
% sshd -d
debug1: sshd version OpenSSH_4.3p2
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[0]='/usr/local/openssh.10/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 11
debug1: inetd sockets after dupping: 4, 4
Connection from 128.114.48.86 port 49490
debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_4.3
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user weiler service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "weiler"
debug1: PAM: setting PAM_RHOST to "banshee.cse.ucsc.edu"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for weiler from 128.114.48.86 port 49490 ssh2
Failed none for weiler from 128.114.48.86 port 49490 ssh2
debug1: userauth-request for user weiler service ssh-connection method
publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 3495/100 (e=0/0)
debug1: trying public key file /cse/tstaff/weiler/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 3495/100 (e=0/0)
debug1: trying public key file /cse/tstaff/weiler/.ssh/authorized_keys2
debug1: matching key found: file
/cse/tstaff/weiler/.ssh/authorized_keys2, line 2
Found matching RSA key: 4d:c0:33:3b:dd:75:89:bb:d1:36:e7:17:2b:85:34:9c
debug1: restore_uid: 0/0
Postponed publickey for weiler from 128.114.48.86 port 49490 ssh2
debug1: userauth-request for user weiler service ssh-connection method
publickey
debug1: attempt 2 failures 1
debug1: temporarily_use_uid: 3495/100 (e=0/0)
debug1: trying public key file /cse/tstaff/weiler/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 3495/100 (e=0/0)
debug1: trying public key file /cse/tstaff/weiler/.ssh/authorized_keys2
debug1: matching key found: file
/cse/tstaff/weiler/.ssh/authorized_keys2, line 2
Found matching RSA key: 4d:c0:33:3b:dd:75:89:bb:d1:36:e7:17:2b:85:34:9c
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Access denied for user weiler by PAM account configuration
debug1: do_cleanup
debug1: PAM: cleanup
Failed publickey for weiler from 128.114.48.86 port 49490 ssh2
debug1: do_cleanup
debug1: PAM: cleanup
%
Again, If I move my public key out of the way and try to log in with a
password it works fine. Since it mentions my PAM configuration, here's
my /etc/pam.conf file:
login auth requisite pam_authtok_get.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth sufficient pam_krb5.so.1
login auth sufficient pam_ldap.so.1
#
dtsession auth sufficient pam_unix_auth.so.1
dtsession auth sufficient pam_krb5.so.1
dtsession auth sufficient pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth sufficient pam_krb5.so.1
other auth sufficient pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth sufficient pam_passwd_auth.so.1
passwd auth sufficient pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
passwd account sufficient pam_unix_account.so.1
passwd account sufficient pam_ldap.so.1
#
other account sufficient pam_unix_account.so.1
other account sufficient pam_ldap.so.1
other account sufficient pam_krb5.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session sufficient pam_unix_session.so.1
other session sufficient pam_ldap.so.1
other session sufficient pam_krb5.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
Would any of you guys happen to have a clue as to where I'm going wrong?
Thanks a million in advance!
ciao, erich
More information about the openssh-unix-dev
mailing list